From patchwork Sun Apr 9 10:42:10 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Djalal Harouni X-Patchwork-Id: 9671497 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id B55C0601EB for ; Sun, 9 Apr 2017 10:43:50 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 92F8628474 for ; Sun, 9 Apr 2017 10:43:50 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 87AEA284CF; Sun, 9 Apr 2017 10:43:50 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 6E8492847A for ; Sun, 9 Apr 2017 10:43:49 +0000 (UTC) Received: (qmail 1744 invoked by uid 550); 9 Apr 2017 10:43:47 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 32660 invoked from network); 9 Apr 2017 10:43:40 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=F7YG0xihv+U2G5rw7IQ5+2T3/7arfAJ7pTkUb0k7jfs=; b=GL8TPnA8Sutgutyfyyjhd4e3AYkYFIsj9a5IUOV5Z1xuVupKF94FfypJ9bouqdRilK DCQWqxBz5t5Gv3M80guUsZPjbKJKrS9B/rwxz4riNiLYcXdJDB409/5VdWPsmNq/Ld1S 0w7aWQTBfbSH0v2dljf5VUJp60gy0Nc9+bZnmewTKKw95VujrA1yLAtTfIYHlqDHHdYA xXBVDjnL4dUqAyhTo7lferwY51bPNd4Yk2DzDVrUdPceZ46xTMYOQbMNGsnnsncGECK9 THnTlPru1Zu6hYUeaapuUUEau94NSOVEhIDiyKHG6ODUnjn2RH4rfJC3LXZMXdGnswvo tcPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=F7YG0xihv+U2G5rw7IQ5+2T3/7arfAJ7pTkUb0k7jfs=; b=CGDJR9Y+CtK3PZPX60mtwHyuVT+2Lv0j5l8clyz7EQZep9rHun69J8FImleVeYaned IPfHqsV2MW5lbjPQHMytZa2+nPZnE17bX/COjboIi16kwX3mCRtGfU/65cVp+5+x6iRy UyNYIR0e29KI9+Cdst/gtF6SteTupe2PYWnx3mMh5KArLx0m3kjLZi40ZnZhfTKZuxZT 0glL50a/4Cd1Nnn+2Pp1s4Z6koRX5ihRKTHjTvQWfHB4vj8xrtvcE0F00aLd3kLSY2MV CPFivFNGaw+P6AJ6v5+mIDD7+Uqh/QJn/KVeNCqNWKNw0RtfASL1crE9FhUZCAMv0e+y 9A5A== X-Gm-Message-State: AN3rC/5hT23VuG+ZzBrOw4/+OPOD+WMkhIU1qnv1KxU40Jtd9JxOSSxXNCY655HI7XuLNA== X-Received: by 10.28.156.140 with SMTP id f134mr5598611wme.40.1491734608958; Sun, 09 Apr 2017 03:43:28 -0700 (PDT) From: Djalal Harouni To: Linux Kernel Mailing List , Andy Lutomirski , Kees Cook , Andrew Morton , kernel-hardening@lists.openwall.com, linux-security-module@vger.kernel.org Cc: Linux API , Dongsu Park , Casey Schaufler , James Morris , , Paul Moore , Tetsuo Handa , Greg Kroah-Hartman , Djalal Harouni Date: Sun, 9 Apr 2017 12:42:10 +0200 Message-Id: <1491734530-25002-4-git-send-email-tixxdz@gmail.com> X-Mailer: git-send-email 2.5.5 In-Reply-To: <1491734530-25002-1-git-send-email-tixxdz@gmail.com> References: <1491734530-25002-1-git-send-email-tixxdz@gmail.com> Subject: [kernel-hardening] [PATCH RFC v2 3/3] Documentation: add ModAutoRestrict LSM documentation X-Virus-Scanned: ClamAV using ClamSMTP Cc: Andy Lutomirski Cc: James Morris Cc: Tetsuo Handa Cc: Kees Cook Signed-off-by: Djalal Harouni --- Documentation/security/00-INDEX | 2 + Documentation/security/ModAutoRestrict.txt | 77 ++++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 Documentation/security/ModAutoRestrict.txt diff --git a/Documentation/security/00-INDEX b/Documentation/security/00-INDEX index 45c82fd..35dbdf0 100644 --- a/Documentation/security/00-INDEX +++ b/Documentation/security/00-INDEX @@ -24,3 +24,5 @@ tomoyo.txt - documentation on the TOMOYO Linux Security Module. IMA-templates.txt - documentation on the template management mechanism for IMA. +ModAutoRestrict.txt + - documentation on the ModAutoRestrict Linux Security Module. diff --git a/Documentation/security/ModAutoRestrict.txt b/Documentation/security/ModAutoRestrict.txt new file mode 100644 index 0000000..47acae8 --- /dev/null +++ b/Documentation/security/ModAutoRestrict.txt @@ -0,0 +1,77 @@ +ModAutoRestrict is a Linux Security Module that applies restrictions on +automatic module loading operations. This is selectable at build-time +with CONFIG_SECURITY_MODAUTORESTRICT, and can be controlled at run-time +through sysctls in /proc/sys/kernel/modautorestrict/autoload or as a +per-process setting via a prctl() interface. + +=========================================== + +A userspace request to use a kernel feature that is implemented by modules +that are not loaded may trigger the module auto-load feature to load +these modules in order to satisfy userspace. However as today's Linux use +cases cover embedded systems to containers where applications are running +in their own separate environments, reducing or preventing operations +that may affect external environments is an important constraint. +Therefore, we need a way to control if automatic module loading is +allowed or which applications are allowed to trigger the module +auto-load feature. + +The ModAutoRestrict LSM allows system administrators or sandbox +mechanisms to control the module auto-load feature and prevent loading +unneeded modules or abuse the interface. + +The settings can be applied globally using a sysctl interface which +completes the core kernel interface "modules_disable". + +The feature is also available as a prctl() interface. This allows to +apply restrictions when sandboxing processes. On embedded Linux systems, +or containers where only some containers/processes should have the +right privileges to load modules, this allows to restrict those +processes from inserting modules. Only privileged processes can be +allowed to perform so. A more restrictive access can be applied where +the module autoload feature is completely disabled. +In this schema the access rules are per-process and inherited by +children created by fork(2) and clone(2), and preserved across execve(2). + +Interface: + +*) The per-process prctl() settings are: + + prctl(PR_MOD_AUTO_RESTRICT_OPTS, PR_SET_MOD_AUTO_RESTRICT, value, 0, 0) + + Where value means: + + 0 - Classic module auto-load permissions, nothing changes. + + 1 - The current process must have CAP_SYS_MODULE to be able to + auto-load modules. CAP_NET_ADMIN should allow to auto-load + modules with a 'netdev-%s' alias. + + 2 - Current process can not auto-load modules. Once set, this prctl + value can not be changed. + + The per-process value may only be increased, never decreased, thus ensuring + that once applied, processes can never relaxe their setting. + +*) The global sysctl setting can be set by writting an integer value to + '/proc/sys/kernel/modautorestrict/autoload' + + The valid values are: + + 0 - Classic module auto-load permissions, nothing changes. + + 1 - Processes must have CAP_SYS_MODULE to be able to auto-load modules. + CAP_NET_ADMIN should allow to auto-load modules with a 'netdev-%s' + alias. + + 2 - Processes can not auto-load modules. Once set, this sysctl value + can not be changed. + +*) Access rules: + First the prctl() settings are checked, if the access is not denied + then the global sysctl settings are checked. + + +The original idea and inspiration is from grsecurity 'GRKERNSEC_MODHARDEN'. + +==========================================================================